Atlassian disclosed a high-severity vulnerability that exists in multiple versions of their Confluence Data Center and Server.
The vulnerability was assigned CVE-2024-21683 with a severity score of 8.3 (High).
The vulnerability has been addressed in the latest versions of Confluence Data Center and Server, and the necessary patches have been released. However, researchers have discovered a method to exploit it.
Technical Analysis – CVE-2024-21683
According to the advisory, this vulnerability is a remote code execution flaw in Confluence Data Center that allows an authenticated threat actor with a certain level of privileges to execute arbitrary commands on affected devices.
To successfully exploit this vulnerability, a threat actor requires network access to the vulnerable system and the privilege to add a new macro language.
The “Add a new language” function in the “Configure Code Macro” section lets users upload a new code block macro language to customise formatting and syntax highlighting.
However, an authenticated attacker can upload a malicious JavaScript file through this functionality, which injects malicious Java code on the affected devices.
Add a new language option (Source: SonicWall)
This can be exploited by crafting a malicious JS file containing code such as java.lang.Runtime.getRuntime().exec("touch /tmp/poc"), which is executed when the file is uploaded to the server. The execution happens because the uploaded file is insufficiently validated.
This malicious code is sent for evaluation to the “parseLanguage” method of the “RhinoLanguageParser” class, which is located at WEB-INF/atlassian-bundled-plugins/com.atlassian.confluence.ext.newcode-macro-plugin-5.0.1.jar!/com/atlassian/confluence/ext/code/languages/impl/RhinoLanguageParser.class.
RhinoParser Evaluation (Source: SonicWall)
The “script” variable is then formed and the “evaluateString” method processes the malicious code. “evaluateString” in turn passes the code to the “doTopCall” method of the “ScriptRuntime” class.
The “doTopCall” method executes this malicious code, resulting in arbitrary code execution on the vulnerable system.
However, this vulnerability has been patched in the latest versions of Confluence Data Center and Server.
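A legitimate code-macro language definition only needs regular expressions and CSS class names; it never needs the Java bridge that Rhino exposes to scripts. The added example below (not from the article or from Atlassian) scans a language definition file for references to that bridge, so an administrator can review macro language uploads or a backed-up plugin directory for payloads of the shape described above. The two sample files are constructed for the example.

```python
import re

# Rhino exposes the Java class hierarchy to scripts through the `java.*` and
# `Packages.*` top-level objects and the importPackage/importClass helpers.
# A syntax-highlighting definition has no reason to touch any of these, so a
# match is a strong indicator of a CVE-2024-21683-style payload.
JAVA_BRIDGE_PATTERNS = [
    re.compile(r"\bjava\.(lang|io|util|net|nio)\."),    # java.lang.Runtime etc.
    re.compile(r"\bPackages\."),                         # Packages.java.lang.Runtime
    re.compile(r"\bimport(Package|Class)\s*\("),         # Rhino LiveConnect helpers
    re.compile(r"\bgetRuntime\s*\(|\bProcessBuilder\b"), # process-spawning APIs
    re.compile(r"\.getClass\s*\(\)|\bforName\s*\("),     # reflective class loading
]


def find_java_bridge_refs(js_source: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every line that references the Java bridge."""
    hits = []
    for lineno, line in enumerate(js_source.splitlines(), start=1):
        if any(p.search(line) for p in JAVA_BRIDGE_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


def is_suspicious_language_file(js_source: str) -> bool:
    """True if the uploaded language definition should be reviewed before use."""
    return bool(find_java_bridge_refs(js_source))


# Constructed samples (not real uploads): a plausible highlighter definition and
# a payload of the form quoted in the article.
BENIGN_LANGUAGE = """\
var keywords = 'select insert update delete where';
var regexList = [
  { regex: /--.*$/gm, css: 'comments' },
  { regex: new RegExp(keywords, 'gmi'), css: 'keyword' }
];
"""
MALICIOUS_LANGUAGE = """\
var keywords = 'select insert';
java.lang.Runtime.getRuntime().exec("touch /tmp/poc");
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_LANGUAGE), ("malicious", MALICIOUS_LANGUAGE)):
        print(f"{name}: {find_java_bridge_refs(src)}")
```

To check files on disk, read each language definition into a string and pass it to find_java_bridge_refs; the returned line numbers point at the lines to review.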
Affected Products And Fixed In Versions
| Product                 | Affected versions            | Fixed versions                                          |
|-------------------------|------------------------------|---------------------------------------------------------|
| Confluence Data Center  | 8.9.0                        | 8.9.1                                                   |
| Confluence Data Center  | from 8.8.0 to 8.8.1          | 8.9.1                                                   |
| Confluence Data Center  | from 8.7.0 to 8.7.2          | 8.9.1                                                   |
| Confluence Data Center  | from 8.6.0 to 8.6.2          | 8.9.1                                                   |
| Confluence Data Center  | from 8.5.0 to 8.5.8 LTS      | 8.9.1 or 8.5.9 LTS recommended                          |
| Confluence Data Center  | from 8.4.0 to 8.4.5          | 8.9.1 or 8.5.9 LTS recommended                          |
| Confluence Data Center  | from 8.3.0 to 8.3.4          | 8.9.1 or 8.5.9 LTS recommended                          |
| Confluence Data Center  | from 8.2.0 to 8.2.3          | 8.9.1 or 8.5.9 LTS recommended                          |
| Confluence Data Center  | from 8.1.0 to 8.1.4          | 8.9.1 or 8.5.9 LTS recommended                          |
| Confluence Data Center  | from 8.0.0 to 8.0.4          | 8.9.1 or 8.5.9 LTS recommended                          |
| Confluence Data Center  | from 7.20.0 to 7.20.3        | 8.9.1 or 8.5.9 LTS recommended                          |
| Confluence Data Center  | from 7.19.0 to 7.19.21 LTS   | 8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS           |
| Confluence Data Center  | from 7.18.0 to 7.18.3        | 8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS           |
| Confluence Data Center  | from 7.17.0 to 7.17.5        | 8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS           |
| Confluence Data Center  | Any earlier versions         | 8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS           |
| Confluence Server       | from 8.5.0 to 8.5.8 LTS      | 8.5.9 LTS recommended                                   |
| Confluence Server       | from 8.4.0 to 8.4.5          | 8.5.9 LTS recommended                                   |
| Confluence Server       | from 8.3.0 to 8.3.4          | 8.5.9 LTS recommended                                   |
| Confluence Server       | from 8.2.0 to 8.2.3          | 8.5.9 LTS recommended                                   |
| Confluence Server       | from 8.1.0 to 8.1.4          | 8.5.9 LTS recommended                                   |
| Confluence Server       | from 8.0.0 to 8.0.4          | 8.5.9 LTS recommended                                   |
| Confluence Server       | from 7.20.0 to 7.20.3        | 8.5.9 LTS recommended                                   |
| Confluence Server       | from 7.19.0 to 7.19.21 LTS   | 8.5.9 LTS recommended or 7.19.22 LTS                    |
| Confluence Server       | from 7.18.0 to 7.18.3        | 8.5.9 LTS recommended or 7.19.22 LTS                    |
| Confluence Server       | from 7.17.0 to 7.17.5        | 8.5.9 LTS recommended or 7.19.22 LTS                    |
| Confluence Server       | Any earlier versions         | 8.5.9 LTS recommended or 7.19.22 LTS                    |
Confluence users are advised to upgrade to the fixed versions listed above to prevent threat actors from exploiting this vulnerability.